Symantec adds 'unconfirmed' browser bug count

IE, Firefox buggiest in separate categories

By Robert McMillan | 07 March 06

A report issued today by Symantec appears to bring good news for users of both Mozilla's Firefox browser and Microsoft's IE (Internet Explorer).

In its latest Internet Security Threat Report, covering the second half of 2005, the company features two different ways of counting browser bugs: one that finds IE has the most vulnerabilities, and a second that reports Firefox as the bug-leader.

Firefox had the highest number of 'vendor-confirmed' vulnerabilities, with 13 bugs reported during the six months covered by the report, compared with IE's 12, said Dave Cole, a director with Symantec Security Response.

However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla. By that count, IE had the most security issues: 24, compared with Firefox's 17.

Symantec decided to begin counting the unconfirmed bugs "partially in response" to feedback from the Mozilla team after it published its previous report in September 2005. That report counted only confirmed bugs: 18 for Firefox and 13 for IE.

"We said, 'Okay, for the next report we'll look at them both,'" Cole said. "It's something we might have looked at anyway."

The report caused a stir amongst Firefox fans, who have long considered their browser more secure than IE.

At the time the Mozilla Foundation criticised Symantec's methodology, saying that counting only the number of confirmed flaws skewed things in Microsoft's favour, because the software vendor tends to group several vulnerabilities together, while Mozilla announces each one individually.

Cole would not say which browser Symantec considers to be the most secure. "The reality is, if there's enough motivation there, people are going to find some way to get in," he said. "The concept of impervious technology is really a mistaken one."

Mozilla and Microsoft representatives were unavailable for comment.

The security company also found that DoS (denial-of-service) and phishing attacks continued to rise. DoS attacks were up by 51 percent on the first half of the year, Cole said. On average, there were 1,400 such attacks each day.

Symantec also tracked "a dramatic growth in phishing", and blocked 1.5 billion phishing messages during the period, up 44 percent from the first half of the year.